GENERAL SERVICES ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

AUDIT OF PBS'S CONTROLS OVER
SECURITY OF BUILDING INFORMATION
REPORT NUMBER A070216/P/R/R08005
SEPTEMBER 30, 2008

TABLE OF CONTENTS

                                                                                  PAGE
EXECUTIVE SUMMARY                                                                   i
INTRODUCTION                                                                        1
     Background                                                                     1
     Objective, Scope, and Methodology                                              2
RESULTS OF AUDIT                                                                    4
     Controls over Security Requirements are not Consistently
     Applied Across the Regions                                                     4
     PBS Security Requirements are Often not Included in Construction Contracts     9
     Inclusion of Security Requirements Varied Between Contract Types              10
     Contractors Adhered to Security Requirements                                  13
     Contracts Should Include Requirements for Safeguarding Sensitive
     Building Information                                                          14
     Formal Training for the Project Team is Needed                                14
     PBS is Currently Drafting Revisions to GSA Order, PBS 3490.1                  15
CONCLUSION                                                                         15
RECOMMENDATIONS                                                                    16
MANAGEMENT COMMENTS                                                                16
MANAGEMENT CONTROLS                                                                16
APPENDICES
     Management Response                                                          A-1
     Report Distribution                                                          B-1

EXECUTIVE SUMMARY

Purpose

The audit objective was to determine whether the Public Buildings Service (PBS) has adequate controls in place to protect sensitive building information.

Background

A priority for the General Services Administration (GSA) is the physical protection of Federal employees, the visiting public, and its facilities. There is a growing concern that unrestricted construction documents pose a vulnerability that could be exploited by terrorists or other criminal elements. In March 2002, GSA enhanced its policy on securing building information by issuing GSA Order, PBS 3490.1 (PBS 3490.1) entitled, "Document security for sensitive but unclassified paper and electronic building information." The objectives of the policy were: 1) only give the information to those who have a need to know, 2) keep records of who got the information, and 3) safeguard the information during use and destroy it properly after use.

Since May 2007, there have been two examples of security breaches over Sensitive but Unclassified (SBU) information, where sensitive but unclassified building drawings were found in public places. In another instance, a database control weakness was identified in a PBS Project Information Portal containing SBU information.

Results in Brief

PBS needs to improve its implementation of controls over sensitive building information to reduce the risk of inappropriate disclosure of sensitive building information that may result in harm to people or property. Overall, implementation of the controls to meet the requirements for safeguarding sensitive building information varied widely. The oversight practices of PBS project managers and contracting officers to implement PBS security policies were inconsistent. The inconsistent implementation was especially evident in the contracts, as many contracts did not include the contractor's responsibility to use reasonable care to protect sensitive building information. While the majority of PBS staff interviewed was aware of PBS 3490.1, few had received formal training on the requirements and how to implement them. PBS is currently in the process of revising the security requirements in PBS 3490.1 and may be able to use this as an opportunity to address many of the issues identified by our review.

Recommendations

PBS needs to take steps to ensure that controls are in place to properly protect sensitive building information. These steps include incorporating PBS 3490.1 requirements directly into the boilerplate Solicitation for Offers and contracts for architect and engineering, construction, and lease construction contracts; requiring contractors to include PBS 3490.1 requirements in their subcontracts; and developing a course of action to be taken when contractors do not fulfill their contractual obligations regarding the protection of SBU information. PBS should also ensure officials are provided training on PBS 3490.1. This training should include encryption software applications available to PBS project personnel. To ensure that PBS 3490.1 requirements are being followed by PBS project teams, a system of controls should also be implemented.

Introduction

Background

A priority for the General Services Administration (GSA) is the physical protection of Federal employees, the visiting public, and its facilities. After the Alfred P. Murrah Federal Building bombing, GSA and other agencies reviewed GSA's construction and security criteria to find ways to prevent such an occurrence in the future. There is a growing concern that unrestricted construction documents pose a vulnerability that could be exploited by terrorists or other criminal elements. GSA must balance these legitimate security concerns with the reality that its buildings and related data should be accessible to the public and that excessive security restrictions might hamper competition for GSA projects.

In order to reduce the exposure to possible attacks or threats to GSA-controlled facilities, the Public Buildings Service (PBS) issued a PBS Instructional Letter PBS-IL-01-3 entitled "Dissemination of Sensitive but Unclassified Paper and Electronic Design and Construction Documents" dated July 30, 2001. Sensitive but Unclassified (SBU) information was defined by the policy as drawings, plans, and specifications for new or current GSA-controlled space, produced specifically as contract and solicitation documents for construction purposes, or material used to define structural analysis for facilities, for installation of security systems, or any documents that would disclose information about security guards or security systems of any kind. The objectives of this policy were to 1) diminish the potential that construction or security related documents (either paper or electronic) will be used by a person or persons with an interest in causing harm to persons or property, and 2) not impede the availability of necessary information to those with legitimate needs, such as the professional design community, contractors, professional schools and forums, and states, cities, and towns where GSA has facilities.

In March 2002, GSA enhanced its policy by issuing GSA Order, PBS 3490.1 (PBS 3490.1) entitled, "Document security for sensitive but unclassified paper and electronic building information." The objectives of the policy were essentially the same as above, with the principles of this policy being: 1) only give the information to those who have a need to know, 2) keep records of who got the information, and 3) safeguard the information during use and destroy it properly after use. This policy defined security requirements for proper document labeling, keeping records of those obtaining SBU documents, notification of proper disposal of building documents, and dissemination of electronic documents. As of October 2007, efforts were underway to revise the policy to take into account PBS's reorganization, new governmental policy, and technical advancements.

Since May 2007, there have been two examples of security breaches over SBU information. In May 2007, sensitive architectural drawings for the construction of the new Los Angeles Courthouse were discovered in a Phoenix, Arizona cemetery. And in July 2007, preliminary expansion drawings for the Ysleta Border Station were found in a dumpster behind an Austin, Texas television studio. Also, during control testing conducted in May 2007 through July 2007 by the GSA Office of Inspector General, access control weaknesses were identified in a number of databases, including a PBS Project Information Portal. This portal included sensitive design documents, housing plans, floor plans, financial data and photographs of PBS construction projects.

Lapses in security over SBU information are not confined to the Federal Government. Recently, detailed SBU documents regarding the reconstruction efforts at Ground Zero were discovered in trash bins on two occasions. In the first instance, a homeless man found a set of SBU drawings for the construction of the Freedom Tower in a trash bin outside a restaurant in New York City. After this story made the newspapers, two salvage experts contacted the news agency and turned over 300 pounds of sensitive building information related to construction projects in and around Ground Zero, which they found in a dumpster. The New York Port Authority Inspector General is investigating the matter.

Objective, Scope, and Methodology

The audit objective was to determine whether PBS has adequate controls in place to protect sensitive building information. To accomplish this audit objective we performed fieldwork primarily in GSA's National Office, National Capital Region, Southeast Sunbelt Region, and the Greater Southwest Region. The scope of this review was limited to paper and removable media. An additional review of the protection of sensitive building information in online environments is currently in progress. Results will be published under separate cover. During fieldwork, we performed the following tasks:

   •   Obtained background information including: Office of Management and Budget memorandum, National Institute of Standards and Technology publications, and prior GSA Office of Inspector General audit reports.
   •   Reviewed policies including GSA Order PBS 3490.1, "Document security for sensitive but unclassified paper and electronic building information," dated March 8, 2002.
   •   Interviewed PBS National and Regional officials to determine what controls they have in place to ensure the security of sensitive building information.
   •   Interviewed three government contractors to determine what controls they have in place to ensure the security of sensitive building information.
   •   Analyzed 28 projects, which included 43 contract files (15 Architect and Engineering (A/E), 21 prime contractors, and 7 lease construction contracts), to determine if appropriate language was included in the contract regarding the security of sensitive building information.
   •   Reviewed government and contractor files to ensure they are maintaining documentation that is required under PBS 3490.1.
   •   Analyzed the proposed revisions to PBS 3490.1 currently under development.

The audit work was conducted from November 2007 through May 2008. The audit was performed in accordance with generally accepted government auditing standards.

Results of Audit

The Public Buildings Service (PBS) needs to improve its implementation of controls over sensitive building information to reduce the risk of inappropriate disclosure of sensitive building information that may result in harm to people or property. PBS defined its security requirements for sensitive building data in General Services Administration (GSA) Order, PBS 3490.1 (PBS 3490.1) entitled, "Document security for sensitive but unclassified paper and electronic building information," which was issued in March 2002. Overall, implementation of the controls to meet the requirements for safeguarding sensitive building information varied widely. The oversight practices of PBS project managers and contracting officers to implement PBS security policies were inconsistent. The inconsistent implementation was especially evident in the contracts, as many contracts did not include the contractor's responsibility to use reasonable care to protect sensitive building information. While the majority of PBS staff interviewed was aware of PBS 3490.1, few had received formal training in the requirements and how to implement them. PBS is currently in the process of revising the security requirements in PBS 3490.1 and may be able to use this as an opportunity to address many of the issues identified by our review.

Controls over Security Requirements are not Consistently Applied Across the Regions

Implementation of security controls over sensitive building information is not consistently applied across GSA regions or projects. During our review, we examined 43 contract files to assess the implementation of PBS's Sensitive but Unclassified (SBU) information policy. In addition to evaluating contract files and documentation, we held discussions with the project managers and contracting officers to discern their knowledge and efforts to implement the security requirements for SBU building information.

We tested the contract files for compliance with the following six requirements from the PBS 3490.1:

Encryption of Electronic Media – Was electronic media being encrypted?

Notice of Disposal – Were disposal notices being collected from the contractors and placed in the official file?

Labeling of Compact Disks (CDs) containing SBU Documents – Were CDs containing SBU documents properly labeled?

Document Security Notice – Were document security notices obtained from contractors and placed in the official file?

Labeling of Hardcopy SBU Documents – Were hardcopy documents containing SBU building information properly labeled?

Storage of SBU Information – Were SBU documents properly secured?

Of the six requirements, we found the least evidence for compliance with the requirement for Encryption of Electronic Media at 9 percent, while compliance with the requirement for the Storage of SBU Information was the most prevalent at 88 percent.[1] The table below indicates the frequency for each of the six requirements. As we stated above, oversight of security requirements was not consistently applied across the regions. Our analysis indicated that compliance by two of the regions was significantly higher than the third region. For example, Document Security Notices (DSN) were observed in two regions at 92 percent and 89 percent; however in the third region DSNs were only observed 15 percent of the time.

Oversight of Compliance with Security Requirements

     Requirement                                   Compliance
     Encryption of Electronic Media                 9%
     Disposal Notices                              25%
     Labeling of CDs containing SBU Documents      39%
     Document Security Notice                      63%
     Labeling of Hardcopy SBU Documents            73%
     Storage of SBU Information                    88%

[1] We conducted our testing through interviews held with project managers and contracting officers, and performed physical observations when possible. When we were unable to conduct testing of the individual requirement for a contract, we excluded that contract from our sample analysis. Thus, for certain requirements, the total number of contracts reviewed may be less than 43.

Encryption of Electronic Media

When weighed against other contract oversight requirements, encryption of electronic media was the least followed requirement at a rate of 9 percent overall, with only 3 out of 32 contracts following the requirement. Encryption of Electronic Media is required by the PBS 3490.1 for the transfer and dissemination of sensitive information outside of the GSA intranet. In addition, the June 23, 2006 Office of Management and Budget Memorandum M-06-16 entitled "Protection of Sensitive Agency Information" recommends all departments and agencies encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive.

The use of electronic media is common practice for both GSA and its contractors. It was common to use a CD to share sensitive information between GSA and parties whom GSA or a prime contractor determines have a legitimate need-to-know. Although CDs may be delivered to intended recipients by hand, other times delivery is performed using a bonded courier, which may increase the opportunity for a CD to be misplaced or delivered to an unintended party.

When we asked project managers and contracting officers throughout the Regions about unencrypted CDs in their possession, the most common responses given were (1) the Architect and Engineering (A/E) firm did not submit encrypted CDs to GSA, (2) the computers used by GSA lack encryption software and (3) the encryption process is time consuming. According to PBS Information Security Officials, PGP® encryption technologies have been made available to Regional personnel upon request, and according to the GSA Senior Agency Information Security Officer, WinZip 9.0®, which supports 128 and 256 AES encryption, is installed in the standard GSA laptop configuration. Although GSA is not required by PBS 3490.1 to encrypt a CD if it is not intended for use outside of GSA, the possibility of the content of the CD being compromised by an unintended user is still present and the recommendation found in the M-06-16 should be followed.

Notice of Disposal

For contracts containing sensitive building information, the contractor is required by PBS 3490.1 to notify the GSA contracting officer that the contractor and its subcontractors have properly disposed of the information at the time of Release of Claims. We tested compliance with the Notice of Disposal requirement for 16 of the 43 contract files in our sample[2] and found that four of the 16 (25 percent) of the contract files included some form of disposal notice. Many of the notices in the contract files were contractor generated e-mails or forms created by contracting officers for specific projects.

For proper disposal, hardcopy drawings are required by PBS 3490.1 to be burned or shredded. Many hardcopy drawings are too large to be destroyed by a conventional shredder; therefore, many contractors return the drawings to GSA, which may outsource the shredding.

[2] Many of the contracts we reviewed were in progress and were excluded from our testing of the disposal notice requirement.

Labeling CDs Containing SBU Documents

The PBS 3490.1 requires that sensitive building information in electronic format be labeled as follows:

                       PROPERTY OF THE UNITED STATES GOVERNMENT
             COPYING, DISSEMINATION, OR DISTRIBUTION OF THESE DRAWINGS, PLANS,
                  OR SPECIFICATIONS TO UNAUTHORIZED USERS IS PROHIBITED
                                Do not remove this notice
                     Properly destroy documents when no longer needed

We verified the labeling of CDs containing SBU documents for 31 contracts and found that 12 contracts had CDs (39 percent) that were properly labeled. When we asked project managers and contracting officers about unlabeled CDs in their possession, the most common response was that A/E firms did not label the CDs before sending them to GSA. We did find that GSA had labeled many of the CDs themselves after they were received from the A/E firms; however, other recipients of unlabeled CDs may not correct the oversight.

Document Security Notice

PBS 3490.1 emphasizes that "dissemination of information shall only be made upon determination that the recipient is authorized to receive it." Those who disseminate sensitive building information are required by PBS 3490.1 to obtain a signed Document Security Notice from the party to whom the information will be disseminated and maintain records of disseminated DSNs to be turned over to GSA at the completion of work. The DSN validates the identity of the recipient and assures that the recipient is authorized to receive the information. We tested compliance with the DSN requirement for 35 of the sample contracts and found that 22 (63 percent) of the contract files included DSN records.[3]

PBS 3490.1 "applies to all SBU building information regarding PBS controlled space or procurements to obtain PBS-controlled space, either government owned or leased… and includes GSA space that is delegated to other Federal agencies." We were told by project managers and contracting officers for two of the projects without DSNs that GSA had adhered to the stricter document security protocol of the occupying agency and did not consider the DSN necessary. While certain circumstances may require adapting 3490.1, PBS needs to ensure that the intent of 3490.1 is met and all involved parties use reasonable care when handling SBU building documents.

[3] Many of the projects we reviewed were in progress, thus they were excluded from our testing.

Labeling of Hardcopy SBU Documents

The PBS 3490.1 requires that each page of hardcopy drawings, excluding the cover, be labeled as follows:

                   PROPERTY OF THE UNITED STATES GOVERNMENT
                             FOR OFFICIAL USE ONLY
                            Do not remove this notice
                 Properly destroy documents when no longer needed

In addition, the PBS 3490.1 requires that the cover page of hardcopy drawings be labeled as follows:

                PROPERTY OF THE UNITED STATES GOVERNMENT
      COPYING, DISSEMINATION, OR DISTRIBUTION OF THESE DRAWINGS, PLANS,
           OR SPECIFICATIONS TO UNAUTHORIZED USERS IS PROHIBITED
                            Do not remove this notice
                 Properly destroy documents when no longer needed

We tested compliance with the requirement for labeling hardcopy SBU drawings for 37 contracts. We found that 27 contracts (73 percent) had hardcopy drawings imprinted with the labeling above. While three other hardcopy drawings did contain property notice labels, they did not match the labels required by the PBS 3490.1. In two projects where drawings were not labeled, the project managers and contracting officers informed us that drawings had not been labeled because they did not identify building names, property locations or occupying agencies, so they thought they did not require SBU labels. However, the Labeling of Hardcopy SBU Documents requirement still applies to all hardcopy drawings that meet PBS 3490.1 criteria for determining information requiring document security.

Storage of SBU Information

Of the six requirements included in our oversight analysis, the Storage of SBU Information requirement was followed most. We reviewed the Storage of SBU Information for 33 contracts. Of the 33 contracts, we found that the Storage of SBU Information requirement was followed for 29 contracts (88 percent).

It is common for GSA contractors to have on-site plan rooms in which sensitive building information is available to employees and subcontractors. We visited two on-site contractor facilities that contained sensitive building information and observed that the facilities were equipped with security devices such as monitoring alarm systems and exterior fencing. We also visited GSA facilities and verified that GSA was maintaining sensitive building information in secured PBS space when the information was in use and when the information was no longer needed. PBS 3490.1 requires that unneeded sensitive building information be destroyed; however, GSA, the A/E firm, and the general contractor are allowed to keep necessary record copies. Those record copies are required by PBS 3490.1 to be properly safeguarded throughout the retention period. In GSA, such copies were stored in restricted access space.

PBS Security Requirements are Often not Included in Construction Contracts

The results of the contract file review indicate that the security requirements for sensitive building data are not being performed consistently. The inconsistent implementation was especially evident in the contracts themselves, as many contracts did not include language that would obligate contractors to use reasonable care to protect sensitive building information. We analyzed the contracts to determine whether they included the following requirements of PBS 3490.1:

Reference to PBS 3490.1 – Did the contract directly reference PBS 3490.1 in its entirety?

Inclusion of Encryption Requirements – Did the contract require that the transfer and dissemination of SBU information beyond the GSA Intranet be encrypted?

Labeling of SBU Documents – Did the contract require the proper labeling of electronic and paper SBU documents?

Storage of SBU Information – Did the contract require the proper storage of SBU building information to be safeguarded during use?

Inclusion of Data Ownership – Did the contract specify that all drawings shall become the property of the United States Government?

Document Security Notice – Did the contract require those disseminating SBU building information to obtain a signed copy of a Document Security Notice from the recipient of SBU documentation?

Notice of Disposal – Did the contract require the contractor to submit a Notice of Disposal at the time of the Release of Claims?

Record Keeping Notice – Did the contract require the disseminator of SBU building information to keep records of Document Security Notices and provide those records to GSA to be kept with the permanent contract file?

Document Distribution – Did the contract require the disseminator to limit distribution of SBU building information to those with a need-to-know?

During our analysis of 43 contract files, we found that direct references to GSA's security policy PBS 3490.1 or inclusion of its requirements are often lacking in GSA construction contracts. Only 23 percent of the files reviewed included a copy or a direct reference to PBS 3490.1 requirements. Although some of the contracts in our sample contained clauses requiring the contractor to adhere to the PBS Computer Aided Design (CAD) Standards and the Facilities Standards for the Public Buildings Service PBS P-100, whose recent versions reference PBS 3490.1, the contractor's knowledge of this obligation to comply with the PBS 3490.1 requirements would be predicated on noticing an isolated reference in a multi-page document and then locating a copy of PBS 3490.1.

The full results of our analysis to determine whether or not the contract files referenced GSA's security policy PBS 3490.1 or its requirements are summarized in the following table.

Compliance with Security Requirements within Construction Contracts

     Requirement                               Included
     Inclusion of Encryption Requirements      21%
     Reference to PBS 3490.1                   23%
     Storage of SBU Information                36%
     Labeling of SBU Documents                 44%
     Inclusion of Data Ownership               54%
     Document Security Notice                  59%
     Notice of Disposal                        59%
     Record Keeping Notice                     62%
     Document Distribution                     69%

The summary shows that of the nine references tested, we found that the encryption requirement was included in contracts least often at a rate of 21 percent and that document distribution was included most often at a rate of 69 percent.

Inclusion of Security Requirements Varied Between Contract Types

The inclusion of GSA security requirements in A/E, prime, and lease construction contracts varied widely. As depicted in the following tables, prime contracts showed the highest level of security requirements, followed by A/E contracts. Lease construction contracts included the least requirements.

Compliance with Security Requirements within Prime Contracts

     Requirement                               Included
     Inclusion of Encryption Requirements      16%
     Reference to PBS 3490.1                   21%
     Storage of SBU Information                32%
     Labeling of SBU Documents                 42%
     Inclusion of Data Ownership               47%
     Document Distribution                     84%
     Document Security Notice                  84%
     Notice of Disposal                        84%
     Record Keeping Notice                     84%

Document Security Notices were included in prime contracts 84 percent of the time. Many Regions followed a best practice of including a copy of a DSN within the contract and required prime contractors to complete this form before receiving copies of SBU information. The DSN is an attachment to the PBS 3490.1 that serves as an agreement by the contractor that they will only disseminate SBU building information to other authorized users under the conditions set forth within the notice. Although the DSN includes three other requirements of the PBS 3490.1 (document distribution, notice of disposal, and record keeping notice), the DSN doesn't encompass all the PBS 3490.1 requirements. For those requirements that were not included in the DSN, inclusion into the contracts was significantly less, as shown above. Although prime contracts usually included DSNs, all requirements need to be included in the contract to hold the contractor responsible for properly protecting SBU building information in their possession.

Compliance with Security Requirements within A/E Contracts

     Requirement                               Included
     Reference to PBS 3490.1                   31%
     Inclusion of Encryption Requirements      31%
     Document Security Notice                  38%
     Notice of Disposal                        38%
     Record Keeping Notice                     38%
     Storage of SBU Information                38%
     Document Distribution                     54%
     Labeling of
SBU Documents                                           54%\n\n          Inclusion of Data Ow nership                                                    77%\n\n                                         0%   10%   20%   30%   40%     50%   60%   70%   80%   90% 100%\n\n\n\n\nThree requirements were included in A/E contracts more than half the time: document\ndistribution and labeling of SBU documents at 54 percent, and data ownership at 77 percent. Six\nother requirements, as noted above, were included in A/E contracts 38 percent of the time or less.\nThese results may be affected by some of the A/E contracts in our sample being awarded shortly\nafter the implementation of PBS 3490.1. In fact, two of the A/E contracts we reviewed were\nIndefinite Delivery Indefinite Quantity (IDIQ) contracts that were awarded before the issuance of\nPBS 3490.1. However, the purchase of A/E services off these IDIQ contracts was made after the\nissuance of PBS 3490.1. Accordingly, we analyzed all task orders, contract amendments and\nmodifications and none were modified to include GSA SBU document security requirements\nafter the issuance of PBS 3490.1. 
To properly secure SBU building information, it is imperative\nthat the proper GSA security requirements are placed in A/E contracts.\n\n\n\n\n                                                          12\xc2\xa0\n\n                                                                                                           \xc2\xa0\n\x0c                Com pliance w ith Security Requirem ents w ithin Lease Construction Contracts\n\n\n             Reference to PBS 3490.1                14%\n\n  Inclusion of Encryption Requirements              14%\n\n            Document Security Notice                       29%\n\n                    Notice of Disposal                     29%\n\n          Inclusion of Data Ow nership                     29%\n\n          Labeling of SBU Documents                        29%\n\n               Record Keeping Notice                                   43%\n\n           Storage of SBU Information                                  43%\n\n                Document Distribution                                         57%\n\n                                         0%   10%   20%   30%    40%    50%   60%   70%   80%   90% 100%\n\n\n\n\nDocument distribution is included in lease construction contracts 57 percent of the time.\nAlthough the overall percentages are low, lease construction includes obstacles not found in\nother contracts. In lease construction, the lessor contracts with its own A/E and prime\ncontractors. Thus, the contracting officer cannot directly negotiate GSA security requirements\ninto the A/E and prime contracts. In one project, PBS realty officials requested a proposal from\nthe lessor to implement the PBS 3490.1 requirements. In response, the lessor proposed a price of\n$100,000. The tenant agency was unwilling to absorb this amount and requested reduced SBU\ndocument security requirements. 
To ensure GSA document security requirements are included\nin the lease, PBS should place its requirements into its boilerplate lease contract language. A\nclause should also be included in the boilerplate lease that requires the lessor to include GSA\nsecurity policies in its A/E and prime contracts. Inclusion of GSA security policies into the\nboilerplate lease should eliminate the need to negotiate potentially costly supplemental lease\nagreements for the implementation of GSA security requirements.\n\nContractors Adhered to Security Requirements\n\nWe performed site visits to two prime contractor locations, and held a teleconference with a\nthird. Two were familiar with the requirements of PBS 3490.1, and all noted that PBS\nrepresentatives had conveyed the importance of safeguarding SBU building documents. During\nour site visits, we verified that the contractors were maintaining SBU dissemination records,\nincluding obtaining DSNs from subcontractors, and were making efforts to obtain disposal\nnotices, where applicable. We also observed that SBU documents were stored in secure\nlocations.\n\nSince one of the aims of PBS\xe2\x80\x99s SBU policy is to protect sensitive building information, without\nrestrictive requirements which might hamper competition, we obtained the contractors\xe2\x80\x99 insights\non how burdensome the current SBU requirements were and how costly it was for the\n                                                           13\xc2\xa0\n\n                                                                                                           \xc2\xa0\n\x0ccontractors to meet them. None of the contractor\xe2\x80\x99s considered the SBU requirements, by\nthemselves, to be particularly burdensome or costly to fulfill. A similar query was made of the\ncontracting officers and project managers we met with during this review. Their responses\nmirrored the contractors. Most had never received complaints specifically about the SBU\nrequirements. 
However, as discussed previously, one lessor believed the 3490.1 requirements so\nburdensome he wanted $100,000 to implement them.\n\nContracts Should Include Requirements for Safeguarding Sensitive Building Information\n\nThe primary non-government users of SBU building information are the contractors that perform\nthe construction related work required by PBS. This is true for A/E and prime contractors on\nconstruction contracts as well as lessors for lease construction contracts. It is imperative that\nthese contractors have an understanding of PBS\xe2\x80\x99s expectations for safeguarding sensitive\nbuilding information so they can use reasonable care when handling applicable SBU documents.\nAs such, GSA should include the contractors\xe2\x80\x99 responsibilities for safeguarding sensitive building\ninformation in the contract. This should include requirements that contractors and lessors should\ninform their subcontractors working on GSA constructions projects of the requirements and\nresponsibilities for safeguarding sensitive building information. PBS should also use contractual\nlanguage to establish penalties for noncompliance. Currently, there are no statutory penalties for\nfailing to properly safeguard SBU building information. If a security breach does occur and\nthese security requirements are not included in the contract, GSA\xe2\x80\x99s ability to take action against\nthe negligent party will be limited.\n\nFormal Training for the Project Team is Needed\n\nDuring our review we found that the majority of PBS project managers and contracting officers\nwere aware of the PBS 3490.1; however, few had received training outlining the requirements or\nprocedures. PBS 3490.1 requires that Federal Government employees who handle sensitive\nbuilding information have security training in which the PBS 3490.1 and its procedures are\noutlined. 
When asked about training as it relates to PBS 3490.1, several project managers and\ncontracting officers replied that they had attended meetings in which the PBS 3490.1 was\ndiscussed by upper management. However, the majority replied that they had received the PBS\n3490.1 via e-mail and had not received any form of training on the document. Security training,\nas required by the PBS 3490.1, will consistently educate the project team on actions to reduce the\nrisk that sensitive building information will be used for dangerous or illegal purposes. Such\ntraining should be included in the annual training plan for PBS employees who handle sensitive\nbuilding information.\n\n\n\n\n                                               14\xc2\xa0\n\n                                                                                                 \xc2\xa0\n\x0cPBS is Currently Drafting Revisions to GSA Order, PBS 3490.1\n\nPBS has established a team to revise PBS 3490.1 to \xe2\x80\x9cprovide updated guidance to reflect changes\nissued by, among others, the White House memorandum, dated May 9, 2008, the National\nInstitute of Standards and Technology, and federal acquisition policies\xe2\x80\x9d. The President of the\nUnited States memorandum dated May 9, 2008 entitled \xe2\x80\x9cDesignation and Sharing of Controlled\nUnclassified Information,\xe2\x80\x9d adopts, defines, and institutes "Controlled Unclassified Information"\n(CUI) as the single, categorical designation henceforth throughout the executive branch for all\ninformation within the scope of that definition. 
This includes most information referred to as\n"Sensitive But Unclassified" (SBU) in the Information Sharing Environment\xe2\x80\x9d and \xe2\x80\x9cestablishes a\ncorresponding new CUI Framework for designating, marking, safeguarding, and disseminating\ninformation designated as CUI.\xe2\x80\x9d The memorandum establishes three new designations: (1)\n"Controlled with Standard Dissemination; (2) Controlled with Specified Dissemination; and (3)\nControlled Enhanced with Specified Dissemination", depending upon the safeguarding\nprocedures and dissemination controls deemed necessary. The PBS revision team consulted with\nthe GSA Office of General Counsel and the National Archives and Records Administration\nregarding the impact of the new requirements on PBS SBU protection policies. The team was\nadvised that the proposed revisions contain the correct terminology.\n\nConclusion\n\nPBS needs to improve its implementation of controls over sensitive building information to\nreduce the risk of inappropriate disclosure of sensitive building information that may result in\nharm to people or property. Although PBS is revising its current policies with regard to\ndocument security for sensitive but unclassified paper and electronic building information, it also\nmust make certain that proper controls are in place to ensure its policies, old or new, are\nenforced. As our findings indicate, the implementation of PBS 3490.1 security requirements has\nbeen inconsistent and needs management oversight. Project files and discussions with team\nmembers indicate inconsistent implementation of requirements, inclusion of contractor\nresponsibilities varies by contract, and formal training of GSA personnel on its security policies\nis also needed. Also, during our discussions with PBS personnel and the review of\ndocumentation, we did not encounter indications that implementation of PBS 3490.1 security\nrequirements were being verified by any PBS internal control review group. 
Given these issues,\nPBS needs to establish a system to ensure that its requirements for safeguarding sensitive\nbuilding information are implemented consistently on all projects.\n\n\n\n\n                                                15\xc2\xa0\n\n                                                                                                  \xc2\xa0\n\x0cRecommendations\n\nWe recommend that the PBS Commissioner:\n\n   1. Incorporate PBS 3490.1 requirements directly into the boilerplate Solicitation for Offers\n      and contracts for A/Es, construction, and lease construction contracts.\n\n           a. Require contractors to include PBS 3490.1 requirements in their subcontracts.\n\n           b. Develop a course of action to be taken when contractors do not fulfill their\n              contractual obligations regarding the protection of SBU information.\n\n   2. Ensure PBS officials are provided training on the PBS 3490.1. The training should\n      include encryption software applications available to PBS project personnel.\n\n   3. Implement a system of controls to ensure that PBS 3490.1 requirements are being\n      followed by PBS project teams.\n\nManagement Comments\n\nPBS believes the report\xe2\x80\x99s objectives are valid and accepted its three recommendations.\n\nManagement Controls\n\nAs discussed in the Objective, Scope, and Methodology of this report, the review focused on\nwhether PBS has adequate controls in place to protect sensitive building information. 
Related\nmanagement control issues are discussed in the context of the review findings.\n\n\n\n\n                                               16\xc2\xa0\n\n                                                                                              \xc2\xa0\n\x0cAppendices\n\n\n\n\n             \xc2\xa0\n\x0c  AUDIT OF PBS\xe2\x80\x99S CONTROLS OVER\nSECURITY OF BUILDING INFORMATION\n REPORT NUMBER A070216/P/R/R08005\n\n            Appendix A\n\n        Management Response\n\n\n\n\n               A\xc2\xa0\xe2\x80\x90\xc2\xa01\xc2\xa0\n\n                                    \xc2\xa0\n\x0c                          AUDIT OF PBS\xe2\x80\x99S CONTROLS OVER\n                        SECURITY OF BUILDING INFORMATION\n                         REPORT NUMBER A070216/P/R/R08005\n\n                                            Appendix B\n\n                                      Report Distribution\n\n                                                                  Copies\n\nCommissioner, Public Buildings Service (P)                          3\n\nRegional Administrator, National Capital Region (NCR)               1\n\nRegional Administrator, Southeast Sunbelt Region (4A)               1\n\nRegional Administrator, Greater Southwest Region (7A)               1\n\nRegional Inspector General for Auditing (NCR, JA-4, JA-7)           3\n\nRegional Inspector General for Investigation (JI-W, JI-4, JI-7)     3\n\nOffice of Inspector General (J)                                     4\n\nAssistant Inspector General for Auditing (JA, JAO)                  2\n\nAssistant Inspector General for Investigation (JI)                  1\n\nOffice of the Chief Financial Officer (B)                           1\n\nDirector, Internal Control & Audit Division (BEI)                   1\n\n\n\n\n                                               B\xc2\xa0\xe2\x80\x90\xc2\xa01\xc2\xa0\n\n                                                                           \xc2\xa0\n\x0c'